Search code examples
firebase-cloud-messaging

Firebase Cloud Messaging Device Group Management via HTTP v1 auth

I'm moving my FCM implementation from Legacy API to the new HTTP v1 api.

I've already created my service account with firebase-adminsdk

I've also managed to send push notifications using HTTP v1 to device group tokens using the new JWT auth tokens generated from the service account json.

My problem is I'm getting a 401 unauthorized error when managing device groups from the legacy API

https://firebase.google.com/docs/cloud-messaging/android/device-group

https://fcm.googleapis.com/fcm/notification
Content-Type:application/json
Authorization: Bearer ya29.ElqKBGN2Ri_Uz...HnS_uNreA
project_id:SENDER_ID

{
   "operation": "create",
   "notification_key_name": "appUser-Chris",
   "registration_ids": ["bk3RNwTe3H0:CI2k_HHwgIpoDKCIZvvDMExUdFQ3P1...",
                        "cR1rjyj4_Kc:APA91bGusqbypSuMdsh7jSNrW4nzsM...",
                        ... ]

From the documentation it shows that they are using new JWT tokens to authorize management of device groups instead of the old server keys. (Server keys are also going to be decommissioned next year). My question is what exactly am I missing here? How exactly do I use the new service account to manage device groups?

Tried using firebase-admin-sdk json to generate JWT token to use in the device group API. Returns 401

Update

The details regarding FCM device groups can be found here: https://firebase.google.com/docs/cloud-messaging/android/device-group#creating_a_device_group

Here is an example Request and subsequent response showing the issue.

Request:

 POST /fcm/notification HTTP/1.1
 Host: fcm.googleapis.com
 Content-length: 194
 Project_id: XXXXREMOVEDXXXX
 Content-type: application/json
 Authorization: Bearer ya29.removed:removed
 {
     "operation": "create",
     "notification_key_name": "test-group",
     "registration_ids": ["devicetokenidhere1","devicetokenidhere2"]
 }

Response:

 HTTP/1.1 401 Unauthorized
 Content-length: 147
 X-xss-protection: 1; mode=block
 Content-security-policy: frame-ancestors 'self'
 X-content-type-options: nosniff
 Transfer-encoding: chunked
 Expires: Wed, 28 Jun 2023 14:24:59 GMT
 Server: GSE
 -content-encoding: gzip
 Cache-control: private, max-age=0
 Date: Wed, 28 Jun 2023 14:24:59 GMT
 X-frame-options: SAMEORIGIN
 Alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
 Content-type: text/html; charset=UTF-8
 <HTML>
 <HEAD>
 <TITLE>Unauthorized</TITLE>
 </HEAD>
 <BODY BGCOLOR="#FFFFFF" TEXT="#000000">
 <H1>Unauthorized</H1>
 <H2>Error 401</H2>
 </BODY>
 </HTML>

My initial thoughts were perhaps we have to change something in the Google Cloud credentials, however there are no issues when posting a message to any one specific token ID using "https://fcm.googleapis.com/v1/projects/myproject-id-here/messages:send". The 401 only occurs when trying to use a device group. Secondly I thought that now the Legacy version is being removed, perhaps they need to update the "https://fcm.googleapis.com/fcm/notification" URL to v1 too?

Solution

  • Looks like the documentation has already been updated. We can now use http v1 authentication with the device group management api by adding this in the header

    access_token_auth: true

    Reference: https://firebase.google.com/docs/cloud-messaging/android/device-group